From: Sam Munzani (sam@xxxxxxxxxxx)
Date: Thu Dec 06 2001 - 19:01:22 GMT-3
Bryan,
You don't have much choice if you want any other protocol than IP
encapsulated. If security is not an issue, GRE without IPSEC would save you
from extra overhead. However, if security is an issue, you have to use IPSEC
on GRE tunneled traffic to secure it. GRE doesn't address security and IPSEC
doesn't address any other protocol than IP.
Hope this helps.
Sam Munzani
CCIE # 6479, CCDP, CCNP, CISSP, CCSE, SCO ACE
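As an added example (not from Sam's or Brian's mail), a spoke-side IOS configuration for the arrangement Sam describes: a GRE tunnel that can carry any protocol, protected by an IPsec crypto map that selects only the GRE flow between the two endpoints, with the default route pointed at the tunnel interface the way Brian wants. All addresses, interface names, ACL numbers and the pre-shared key are constructed placeholders.

```cisco
! Added example (spoke side); addresses, names and key are placeholders
! Phase 1: IKE policy and pre-shared key for the hub endpoint
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
! Phase 2: transport mode suffices, GRE already adds the outer IP header
crypto ipsec transform-set GRE-TS esp-3des esp-sha-hmac
 mode transport
!
! Crypto ACL selects only the GRE flow between the two endpoints, so
! everything inside the tunnel (IP, IPX, routing updates) is encrypted
access-list 101 permit gre host 192.0.2.1 host 203.0.113.2
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-TS
 match address 101
!
! Lockdown ACL: the WAN side accepts only IKE and ESP from the hub;
! GRE is listed because older IOS re-checks decrypted packets
! against the inbound ACL
access-list 110 permit udp host 203.0.113.2 host 192.0.2.1 eq isakmp
access-list 110 permit esp host 203.0.113.2 host 192.0.2.1
access-list 110 permit gre host 203.0.113.2 host 192.0.2.1
!
! The GRE tunnel is the routable interface Brian is asking about;
! the crypto map is applied to both the tunnel and the physical
! interface, as older IOS releases require
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 203.0.113.2
 crypto map GRE-MAP
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 110 in
 crypto map GRE-MAP
!
! Host route to the hub keeps the tunnel endpoint reachable via the WAN;
! without it the default route below would recurse into the tunnel
ip route 203.0.113.2 255.255.255.255 192.0.2.2
! All other traffic, Internet-bound included, goes through the tunnel
! to the centrally located hub firewall
ip route 0.0.0.0 0.0.0.0 Tunnel0
```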
> Yep, that is definitely a nice feature of Cisco's implementation of IPSec
> tunnels, that they can re-encapsulate several encapsulation types including
> GRE into an IPSec tunnel. For my job I design and configure VPNs on Lucent's
> VPN routers and they can only re-encapsulate IP packets in IPSec. As my
> company prepares to offer Cisco VPNs we have a lot of interested clients, so
> I have to make sure I am prepared to implement a large scale Cisco VPN with
> all of the bells and whistles we could offer with the Lucent VPN solution.
> We do a lot of stuff where we send routes to a tunnel interface not next
> hops. The reason we do this is so that the company can have all of their
> spoke sites locked down except for IPSec and IKE via an ACL. Then for
> traffic destined for the internet the spoke sites would have a default route
> via the tunnel to the hub site. Then at the hub site you can have a
> centrally located firewall for all Internet traffic. When you build tunnels
> on the Lucent box you build instances of IPSec for each tunnel. Then when we
> go to route down the tunnel in Cisco terminology we would do something like
> below.
> example:
> ip route 0.0.0.0 0.0.0.0 ipsec.15
> The thing is when you create an IPSec tunnel on a Cisco box you don't get a
> virtual tunnel interface. I just wonder if you must build a GRE tunnel and
> encapsulate twice to do something like this, which seems like unneeded
> additional overhead? I am also trying to find documentation on the way Cisco
> recommends doing something like this? I am very excited for the new Cisco
> VPN book to come out on Dec. 15th, but until then...
> Sorry for the long-winded message.
> Thanks
>
> >>>Brian
>
> >From: "Larson, Chris (Contractor)" <Chris.Larson@ed.gov>
> >To: 'Brian Lodwick' <xpranax@hotmail.com>
> >Subject: RE: VPN questions
> >Date: Thu, 6 Dec 2001 15:34:13 -0500
> >
> >The interesting things to do are like to put IPX through an IPSEC tunnel.
> >Not terribly complicated once you know how or putting only Telnet or TCP on
> >certain ports though. Not really sooo complex but it makes the config a
> >little more interesting.
> >
> >-----Original Message-----
> >From: Brian Lodwick [mailto:xpranax@hotmail.com]
> >Sent: Thursday, December 06, 2001 3:13 PM
> >To: ccielab@groupstudy.com
> >Subject: VPN questions
> >
> >I would like to find out how people are configuring their VPNs so that
> >they can come up with complex situations.
> >
> >Is there a way to configure static routes to go down a certain tunnel?
> >
> >Since Cisco has implemented IKE keepalives into the newest code, does
> >anyone know if you can configure HSRP to track the IPSec tunnel?
> >
> >Can you use policy routing pointing to tunnel interfaces?
> >
> >Has anyone successfully implemented a design running a routing protocol
> >over the tunnels on a large scale fully meshed VPN?
> >
> >Has anyone done any testing to determine the impact using different
> >transform sets has on throughput?
> >
> >Have you run into any bugs?
> >
> >Anything else interesting?
> >
> > >>>Brian
> >
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:32:39 GMT-3